CVE-2022-40982 – hw: Intel: Gather Data Sampling (GDS) side channel vulnerability
https://notcve.org/view.php?id=CVE-2022-40982
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. La exposición de información a través del estado microarquitectónico tras la ejecución transitoria en determinadas unidades de ejecución vectorial de algunos procesadores Intel(R) puede permitir a un usuario autenticado la divulgación potencial de información a través del acceso local. A Gather Data Sampling (GDS) transient execution side-channel vulnerability was found affecting certain Intel processors. This issue may allow a local attacker using gather instruction (load from memory) to infer stale data from previously used vector registers on the same physical core. • http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html https://access.redhat.com/solutions/7027704 https://aws.amazon.com/security/security-bulletins/AWS-2023-007 https://downfall.page https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html https://lists.debian.org/debian-lts-announce/2023/08/msg00026.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR https://lists.fedoraproject.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy CWE-1342: Information Exposure through Microarchitectural State after Transient Execution •
CVE-2023-25136 – openssh: the functions order_hostkeyalgs() and list_hostkey_types() leads to double-free vulnerability
https://notcve.org/view.php?id=CVE-2023-25136
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible." OpenSSH server (sshd) v9.1 introdujo una vulnerabilidad de doble liberación durante el manejo de "options.key_algorithms". • https://github.com/Christbowel/CVE-2023-25136 https://github.com/nhakobyan685/CVE-2023-25136 https://github.com/adhikara13/CVE-2023-25136 https://github.com/jfrog/jfrog-CVE-2023-25136-OpenSSH_Double-Free https://github.com/H4K6/CVE-2023-25136 https://github.com/ticofookfook/CVE-2023-25136 https://github.com/malvika-thakur/CVE-2023-25136 https://github.com/Business1sg00d/CVE-2023-25136 http://www.openwall.com/lists/oss-security/2023/02/13/1 http://www.openwall.com/lists • CWE-401: Missing Release of Memory after Effective Lifetime CWE-415: Double Free •
CVE-2021-33060
https://notcve.org/view.php?id=CVE-2021-33060
Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. Una escritura fuera de límites en el firmware de la BIOS para algunos procesadores Intel(R) puede permitir que un usuario autenticado permita potencialmente una escalada de privilegios por medio de acceso local. • https://security.netapp.com/advisory/ntap-20220930-0004 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00686.html • CWE-787: Out-of-bounds Write •
CVE-2022-36879 – kernel: xfrm_expand_policies() in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice
https://notcve.org/view.php?id=CVE-2022-36879
An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. Se ha detectado un problema en el kernel de Linux versiones hasta 5.18.14. la función xfrm_expand_policies en el archivo net/xfrm/xfrm_policy.c puede causar que un refcount sea descartado dos veces A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). An error while resolving policies in xfrm_bundle_lookup causes the refcount to drop twice, leading to a possible crash and a denial of service. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f85daf0e725358be78dfd208dea5fd665d8cb901 https://github.com/torvalds/linux/commit/f85daf0e725358be78dfd208dea5fd665d8cb901 https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html https://security.netapp.com/advisory/ntap-20220901-0007 https://www.debian.org/security/2022/dsa-5207 https://access.redhat.com/security/cve/CVE-2022-36879 https://bugzilla.r • CWE-911: Improper Update of Reference Count •
CVE-2022-1434 – Incorrect MAC key used in the RC4-MD5 ciphersuite
https://notcve.org/view.php?id=CVE-2022-1434
The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. • https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7d56a74a96828985db7354a55227a511615f732b https://security.netapp.com/advisory/ntap-20220602-0009 https://www.openssl.org/news/secadv/20220503.txt • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •